Secrets to the best passwords

[InfoSec News <isn () c4i org>]

Forwarded from: William Knowles <wk () c4i org>

While you would think secure password creation wouldn't be a problem 
in this day and age, imagine my shock and suprise when I recieved this 
mail from a local domain registry & hosting company that I have a 
domain with (not for much longer).

>       Please be aware that we have tightened up username and
> password integrity.  We now only allow uppercase and lowercase
> alphanumeric characters to be used in usernames and passwords.  
> All other characters have been stripped out of your username and
> password.  Please use the forgot password feature at
> https://www.********.com/pages/login.asp to retrieve your updated
> username and password.  We apologize for any inconvenience this has
> caused you.

Scary eh?

William Knowles
wk () c4i org


-=-


http://www.computerworld.com/securitytopics/security/story/0,10801,82883,00.html

By Peter H. Gregory
JULY 09, 2003
Computerworld 

The use of good, hard-to-guess passwords can make it difficult for a 
malicious hacker to break into your computer account. Avoiding 
predictable keywords and using different methods to introduce variety 
into your passwords makes it easy for you to remember them but 
virtually impossible for others to guess them. 
Here are some tips on creating winning passwords.

Use keywords related to a theme. Choose a common, significant event: a 
honeymoon, the birth of a child, a new car, a new job.

Example phrases associated with a birth might be blueeyes, hurry, 
onemorepush, crankyRN, coldbracelet, roomsix and icechips. Ideas 
associated with a new car could be deepblue, 6CDs, 5speed and 
TiresThatGrip.

The idea here is that you use a variety of words associated with an 
event that other people would not readily guess. Remember that you may 
also need to mix in uppercase letters and numbers when you create a 
new password. For instance, "hurry" could become hUrry66 or Hur5ry.

Substitute numbers for letters based upon their appearance. With a 
little imagination, you can visualize numbers that bear resemblance to 
letters.

Number Letter 

1      L 
2      Z 
3      E 
4      A 
5      S 
6      b 
7      Z 
8      B 
9      g 
0      O 

When you create a password, substitute a number where a letter would 
appear, according to the chart above. Some examples: 

* scuba becomes 5cu8a 

* water becomes w4t3r 

* icecream becomes 1c3cr34m


Substitute numbers for letters based upon their location on the 
keyboard. The uppermost row of letters on the keyboard, QWERTYUIOP, 
has a row of numbers right above it: 1234567890. You can substitute a 
number for a corresponding letter according to this chart. 

Number Letter 

Q      1 
W      2 
E      3 
R      4 
T      5 
Y      6 
U      7 
I      8 
O      9 
P      0 

So when you create a password, carry out the substitution from the 
chart. Some examples: 

* scuba becomes sc7ba 

* purple becomes 07r0l3 

* rocket becomes 49ck35 


Consistently capitalize the nth letter(s) of your password. Some 
systems require that at least one character be uppercase. Many people 
capitalize the first character, but this is too predictable. Instead, 
always capitalize the second, third or fourth letter, or perhaps 
always the last or next-to-last. Some examples: huRry, roCky, puRple, 
roCket. 

For further interest, you can capitalize more than one letter, for 
instance the first and third, or the second and fourth

Avoid predictable week-to-week or month-to-month changes. One example 
of a predictable pattern to avoid: eyesJan01, eyesFeb02, eyesMar03, 
etc. If someone was lucky enough to discover your password long ago, 
you don't want him to be able to predict what it will be in the 
future.

Store passwords in Counterpane Labs' Password Safe tool. All passwords 
are encrypted with the robust Blowfish algorithm. A nifty feature of 
Password Safe is that when you double-click on a previously stored 
password entry, it silently copies it to the clipboard so you can 
paste in the password even if others are watching you type.

Check the quality of your password at SecurityStats.com. This Web site 
performs calculations based on the complexity and "guessability" of 
your password and tells you how good your password is. Remember that 
your password is transmitted over the Internet in the clear, so you 
should try similar passwords instead of your actual passwords to get 
an idea of the characteristics of a good one.

Adopt ISO17799 password quality guidelines. Ask the IT department to 
implement best practices for password management in accordance with 
ISO17799, a widely recognized information security standard. According 
to the standard, here are some guidelines for passwords: 

* They should be at least six characters long. 

* They should be free of consecutive identical characters. 

* Don't use all numbers or all letters. 

* Avoid reusing or recycling old passwords. 

* Require that passwords be changed at regular intervals. 

* Force users to change temporary passwords at the next logon. 

* Maintain a record of previous user passwords and prevent their 
  reuse. 

* Change all vendor default passwords. 

* Eliminate or lock shared user accounts. 

Warning: Don't use any of the password examples that appear in this 
article! 

A note about password length: Some infosec professionals will bristle
at ISO17799's recommendation for a mere six characters in a password.  
Some have told me that six characters is insufficient, based on the
time it takes to crack a password. My response is this: Typically,
hackers don't care about the length of passwords when choosing to
crack open a computer account.

Organizations are rife with guest accounts, group accounts, accounts
with no passwords, a lack of password expirations, passwords that can
be easily guessed and opportunities to exploit technical weaknesses or
perform social engineering. With all of these easy opportunities,
computer accounts with good six-character passwords are only a trifle
weaker than those with eight-character passwords. My point is that
infosec professionals need to focus more on the compliance of good
user account hygiene than on the length of passwords - it will bear
much better results.


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence 
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.